Threat Intelligence Blog

Simulated Attacks Show C-Level Executives Can Make Easy Targets for Spear-Phishers

Posted August 20, 2013

Wombat Security Technologies recently talked to Security Week about the ongoing problem of executives falling for spear-phishing attacks. Wombat, which specializes in testing a company’s vulnerability to phishing attacks, noted that executives are often the first to fall prey to attackers when it comes to clicking links and providing login data.

Simulated phishing attack results show that C-level executives may be most likely to take the bait and fall for simple or sophisticated spear phishing attacks, Wombat said. In fact, the data shows that corporate executives are still frequently falling for attacks like electronic faxes, fake conference registrations, shipping confirmations, and social media password resets, despite the fact that phishers have used these methods for many years. Not only are executives clicking on potentially malicious links, “some senior executives are actually submitting login credentials,” Wombat said.

In another incident, about 200 employees at Oak Ridge National Laboratory (the folks who literally built the atomic bomb and who to this day lead some of America’s most sensitive weapons research) were hit with a tailored message that appeared to come from their head of HR. Nearly one-third of the targeted individuals fell for the trap, clicking a malicious link that infected their workstations via a flaw in Microsoft Internet Explorer.

Security officials have long preached situational awareness for executives when answering emails, but what about executives using text messaging and social media on phones? How does this change in a world where “BYOD” (Bring Your Own Device) is becoming the norm, and executives are using personal smartphones and tablets for work? How about backup and Dropbox-type utilities? What dangers does the “cloud” bring?

Executives obviously have to think about many competing demands for productivity, data access, business goals and security. Even so, an awareness of the risks can help them make more informed decisions about managing those conflicting priorities. For example, as landlines become increasingly obsolete and a person’s only personal phone number is often cellular, we have found countless examples of executives offering private cell phone numbers as points of contact. In many cases the number was posted online entirely outside the professional realm, e.g. on a youth soccer team’s website where the executive was a coach, or in a PTA newsletter. They simply had not considered the potential availability and utility of that information to a spear-phisher targeting them.

Social media is similarly fraught with competing needs for security awareness vs. openness. It can be a great medium for developing new business, contacts or professional opportunities, but it also presents risks to be balanced. One malware-laden social media post can open a treasure trove of information on a mobile device, including contacts, message histories or the names of installed apps. If a hacker can see your apps, he can identify your bank, your email provider and your social media activity. Likewise, a malware-laced link sent via a LinkedIn message could compromise a work PC or network.

Another common vector is minor or at-home children and spouses. If the executive shares a home computer with their family and logs into work or email from that machine, a malware-laced link on the Facebook wall of an executive’s child can compromise that home PC, which is often less patched and protected than a work machine. This is why, in addition to educating executives, it is often wise to educate their family members about the risks of social media, too. Although keeping bad actors away from the CEO is a security team’s primary job, the definition of the word “away” is rapidly evolving. An adversary can be anywhere on earth and yet be figuratively inside the executive’s head with a bit of up-front reconnaissance, a well-crafted phishing message and a piece of malware.